Web Application Security
CSRF through POST - Dec 15 2009 12:57AM - Robin Wood (dninja gmail com) (2 replies)
Re: CSRF through POST - Dec 16 2009 04:37PM - arvind doraiswamy (arvind doraiswamy gmail com) (1 replies)
Re: CSRF through POST - Dec 16 2009 04:47PM - Robin Wood (dninja gmail com) (2 replies)
RE: CSRF through POST - Dec 21 2009 01:47PM - boaz shunami rsa com (1 replies)
You can find CSRF through POST, with an example, at
http://blog.runxc.com/post/2009/07/06/CSRF-by-Example-How-to-do-it-How-to-defend-it.aspx
--Amish
Robin Wood wrote:
> 2009/12/16 arvind doraiswamy <arvind.doraiswamy (at) gmail (dot) com [email concealed]>:
>
>> Hey Robin,
>> You shouldn't worry about GET or POST. A CSRF will happen in both
>> places. It's just that the GET is easier and more visible.
>>
>> For a POST you could either use OWASP's CSRF Tester to record and
>> replay a request, or you could create an HTML page manually with all
>> hidden variables and just a button as a POC.
>>
>
> It is this bit I was after info on; I could think of a way that I
> would attempt a POST but wanted to see research others had done.
>
> As it turns out I've had quite a few good leads passed across, thanks
> to everyone. Most work in a similar way but all have slight variations
> that are useful to know about when trying to work out the best way to
> attack a target.
>
> Robin
>
>
>> Cheers
>> Arvind
>>
>> On Tue, Dec 15, 2009 at 6:27 AM, Robin Wood <dninja (at) gmail (dot) com [email concealed]> wrote:
>>
>>> Hi
>>> Can anyone point me at any good papers on doing CSRF through POST
>>> parameters? I've found some sites with redirect scripts which help
>>> performing the attack but no good write-ups on different ways to
>>> perform it.
>>>
>>> Robin
>>>
>>>
>>>
>>> This list is sponsored by Cenzic
>>> --------------------------------------
>>> Let Us Hack You. Before Hackers Do!
>>> It's Finally Here - The Cenzic Website HealthCheck. FREE.
>>> Request Yours Now!
>>> http://www.cenzic.com/2009HClaunch_Securityfocus
>>> --------------------------------------
--
Amish Shah
Chief Technology Officer
Net Square Solutions Pvt. Ltd.
amish (at) net-square (dot) com [email concealed]
http://net-square.com/
+91 98257 09665
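The thread's point is that a POST is no harder to forge than a GET, because the victim's browser attaches the session cookie to a form auto-submitted from any page. The added example below (not code from the thread or the linked blog post) shows the standard defence: a per-session synchronizer token carried in a hidden field that a page on another origin cannot read. The transfer form, its field names and the handler are hypothetical.

```python
import hmac
import secrets

# Constructed example: a money-transfer form protected by a per-session
# synchronizer token. Field names and handler are hypothetical.

def issue_csrf_token(session: dict) -> str:
    """Mint a random token and bind it to the user's server-side session."""
    token = secrets.token_urlsafe(32)  # URL-safe alphabet, no HTML escaping needed
    session["csrf_token"] = token
    return token

def render_transfer_form(session: dict) -> str:
    """Legitimate page: the token travels in a hidden field. A page on a
    different origin cannot read this HTML, so it cannot copy the token."""
    token = issue_csrf_token(session)
    return (
        '<form method="POST" action="/transfer">'
        '<input type="hidden" name="csrf_token" value="%s">'
        '<input name="to"><input name="amount">'
        '<input type="submit" value="Transfer"></form>' % token
    )

def handle_transfer_post(session: dict, form: dict) -> tuple:
    """Server-side handler. The session cookie arrives with every POST,
    forged or not, so it proves nothing by itself; the hidden token must
    match the one this session was issued (compared in constant time)."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "rejected: CSRF token missing or invalid"
    # State-changing work happens only after the token check passes.
    return 200, "transferred %s to %s" % (form.get("amount"), form.get("to"))

def demo() -> list:
    """Three POSTs against one logged-in session; returns the status codes."""
    session = {}
    html = render_transfer_form(session)
    token = session["csrf_token"]
    legit = {"to": "savings", "amount": "10", "csrf_token": token}
    # Auto-submitted from another origin: knows the field layout, not the token.
    forged = {"to": "attacker", "amount": "1000"}
    # Same, but carrying a token issued to some other session.
    stale = {"to": "attacker", "amount": "1000", "csrf_token": issue_csrf_token({})}
    return [handle_transfer_post(session, f)[0] for f in (legit, forged, stale)]
    # demo() -> [200, 403, 403]
```

The check is only as good as the token's unpredictability and its binding to the session, which is why the token is stored server-side rather than derived from anything the forged request can supply.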